TÜV Rheinland Blog - Insights from Asia and Africa

Mind your “I”s and “O”s in Industrial Cyber Security

Posted by TUV Rheinland on Jun 5, 2017 4:49:23 PM
TUV Rheinland

This is a review of the Panel Discussion session at Asia ICS Cyber Security in Singapore: ‘The “I”s and “O”s’, a reference to the ‘I/O devices’ in Industrial Control Systems (ICS), as well as to Information Technology (IT) and Operational Technology (OT). The session discussed the IT and OT skillsets needed within a company: their differences and overlaps, and the importance of top-management involvement in cyber security.


Should ‘IT’ overtake ‘OT’, or should ‘OT’ overtake ‘IT’?

IT and OT are very different by default. IT is about connecting things up; OT is about isolating things down. IT focuses on data integrity and confidentiality; OT is concerned with safety and availability. The list of differences could go on, but you get the idea.

These two functions have existed separately in the past, but as the Industrial Internet of Things (IIoT) emerges, the two are inadvertently merging, and, as whenever two different things come together, friction results; the more different they are, the rougher the friction.

Sometimes getting the right answer is about asking the right question. Asking “which function will rule them all” will not bring us closer to a solution, because it is not about “conquering” but “uniting”. The two may have different perspectives on ‘safety and security’, but both have valid points. Both functions will continue to exist, together or separately, but to implement cyber security in industrial settings there must be a mutual understanding between IT and OT, and this most commonly takes place through cross-disciplinary work between the plant’s IT and OT personnel.


So, should ‘IT People’ take up the OT role, or should the ‘OT People’ be trained in IT?

Another tricky question of a similar nature. OT personnel know the process control, but IT people are the masters of the cyber security topic; then again, OT personnel tend to be more conservative, so they should be the ideal candidates for security matters. It is harder for non-IT people to learn IT competencies, but it is easier to get ready-made information and formal training on IT. That is precisely what makes a question tricky: its contradictions and dilemmas.

IT personnel can take up an OT role if they are provided with enough information in the workplace. However, typically it is the OT personnel who take up the expanded IT role, because, by and large, IT has a universal knowledge base, whereas OT knowledge is often plant-specific.

The important point here is that we need to see this transformation from the right angle: we are not “teaching an old dog a new trick”. We are teaching a dog how to meow.

Is a vendor’s remote access good or bad?

Another tricky question that will turn ugly if not answered properly. From the traditional IT perspective, “backdoors” are bad. A backdoor equates to a vulnerability, and by its very nature, IT hunts down backdoors. In OT, a remote access is an additional access path for maintenance and troubleshooting. Having a backdoor can be a mental relief in OT, especially in times of crisis, and it usually has a physical switch to allow or deny the access. All these differences start at the root, because a backdoor is called by different names in IT and OT.

Although a backdoor may have different names, the understanding of it should be unified. We should look at it simply as a point of entry or exit, and focus more on recognizing, analyzing, and controlling what goes in or out through it.

How do we start cyber security in an SME?

Cyber security is always about expenditure, and in SMEs, getting a decent dedicated budget for cyber security is a real challenge. To begin with, we need to assess it with common sense. Size is not absolute; it is relative. For a 25-person manufacturer with one small safety process, it would be ridiculous to spend one million dollars on cyber security.

The moment you have the intention to start investing in cyber security, it is already a good start, because the starting point is really not about money but awareness. You cannot have a meaningful start in cyber security without aligning the organization’s understanding of what cyber security is, and this is where education and training matter. Start with an understanding of what the risk is and what is at stake, and then move on from there.

The Panel Discussion was moderated by Mr. Manuel Diez, the Global Business Field Coordinator for Lifting equipment & Machinery and Electrical Engineering & Automation from TÜV Rheinland.


Topics: cybersecurity, Functional Safety